ONE Runtime Server 14.5.1 Upgrade Notes
Spring Boot 3 upgrade
ONE Runtime Server now uses Spring Boot 3. If you are using Keycloak Security or Spring Security, additional configuration changes are needed in the HTTP Dispatcher configuration or the Spring Security XML file respectively.
Keycloak Security
The following configuration options have changed in the HTTP Dispatcher component:
- The identityProviders element is no longer used. For backward compatibility, you do not need to change your configuration if it meets the following conditions:
  - It contains only one identityProvider element within it, provided that the identityProvider uses the default pattern attribute (pattern="/**").
  - The identityProvider uses the default pattern (/**).

  Otherwise, the server does not start and the following error message is logged: "Field identityProviders is now deprecated. Please use identityProvider instead".
- The pattern attribute in the identityProvider element is no longer used. For backward compatibility, as explained earlier, you do not need to remove it if it is set to the default value and there is only one identityProvider defined.
- The roleMapping attribute is added, which determines how roles are retrieved from Keycloak. The default value realm_access.roles is used if no value is set in the server configuration.

  In addition, the following settings must be enabled in Keycloak Admin Console:
  - In Client Scopes > [role], on the Settings tab, enable Include in Token Scope.
  - In Client Scopes > Mappers > [realm roles]:
    - Enable Add to ID token and Add to userinfo.
    - Check whether Token Claim Name matches the value of roleMapping.
  - To verify your setup, you can navigate to Clients > [your client ID] > Client Scopes > Evaluate > [user] and select Evaluate. The sections Generated ID Token and Generated User Info should contain the necessary roles.

  If you start the server with incorrect settings, the same instructions are available in the server log.
- If Keycloak properties are loaded from keycloak.json or the runtime configuration, only the following properties are taken into account: resource (the client ID in Keycloak), realm, auth-server-url, credentials, and secret (for authenticating to Keycloak clients). Other properties (such as ssl-required and confidential-port) are ignored.
- The loginUrl attribute in the securityFilter element is no longer used. It is ignored if it is still present in the configuration.
- The usePlatformDeployment element is added for cloud deployments, which is used to enable different security settings on different endpoints on the server. This is typically needed for RDM in cloud deployments to enable InternalJWT authentication for internal communication between ONE modules. The settings are preconfigured and no user action is needed.

For more detailed information and configuration samples, see HTTP Dispatcher.
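The roleMapping verification step above can also be scripted. The following is an added example, not code from ONE Runtime Server or Keycloak: it checks whether an ID token and a userinfo response carry roles at the claim path named by roleMapping. It assumes roleMapping is read as a dotted path into nested JSON claims (which is how Keycloak emits a Token Claim Name of realm_access.roles); all function names and sample claims are constructed for illustration, and the token is decoded for inspection only, without signature verification.

```python
import base64
import json

DEFAULT_ROLE_MAPPING = "realm_access.roles"  # default value named in these notes


def decode_payload(jwt: str) -> dict:
    """Decode a compact JWT's payload for inspection only; the signature is NOT verified."""
    segments = jwt.split(".")
    if len(segments) != 3:
        raise ValueError("expected header.payload.signature")
    padded = segments[1] + "=" * (-len(segments[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def roles_at(claims: dict, role_mapping: str = DEFAULT_ROLE_MAPPING) -> list:
    """Follow role_mapping as a dotted path into the claims (assumption: nested JSON keys)."""
    node = claims
    for key in role_mapping.split("."):
        if not isinstance(node, dict) or key not in node:
            return []  # claim missing: mapper disabled or Token Claim Name differs
        node = node[key]
    return [r for r in node if isinstance(r, str)] if isinstance(node, list) else []


def check_role_claim(id_token: str, userinfo: dict,
                     role_mapping: str = DEFAULT_ROLE_MAPPING) -> dict:
    """Return the roles visible in each source; an empty list marks the misconfigured one."""
    return {
        "id_token": roles_at(decode_payload(id_token), role_mapping),
        "userinfo": roles_at(userinfo, role_mapping),
    }


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo (not a real Keycloak token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"


# Constructed samples: one matching the default roleMapping, one where the mapper's
# Token Claim Name is a flat "roles" claim and the userinfo response carries no roles.
GOOD = {"sub": "demo-user", "realm_access": {"roles": ["admin", "viewer"]}}
FLAT = {"sub": "demo-user", "roles": ["admin", "viewer"]}

if __name__ == "__main__":
    print(check_role_claim(make_sample_token(GOOD), GOOD))
    print(check_role_claim(make_sample_token(FLAT), {"sub": "demo-user"}))
    print(check_role_claim(make_sample_token(FLAT), FLAT, role_mapping="roles"))
```

An empty list for either source points to the corresponding Keycloak setting: Add to ID token, Add to userinfo, or a Token Claim Name that does not match roleMapping.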
Spring Security
Update your Spring Security XML configuration file based on the sample provided in step 2 in Spring Security Configuration, section Define the Spring Security XML configuration file.
In addition, create a new users.properties file (see step 4 in Spring Security Configuration, section Define Spring Security XML configuration file) and change the admin user password.